On August 16, 2021, the Indian government filed an affidavit before the Supreme Court characterizing the petitions demanding a Pegasus inquiry as “based on conjectures and surmises.” The document offered no counter-evidence, no account of what surveillance programmes the state operated, and no explanation for why a list of Israeli spyware targets included the names of opposition politicians, a sitting cabinet minister, and a former election commissioner. Solicitor General Tushar Mehta, appearing for the Centre, declined to address those specifics and invoked national security. The affidavit ran to several pages and established, in substance, nothing.

Four years later, in May 2025, a California jury handed Meta Platforms a $167.3 million punitive damages award against NSO Group, the Israeli firm that manufactures Pegasus. The trial was public. Among the documents entered into evidence was a country-by-country breakdown of targets from NSO’s 2019 WhatsApp exploitation campaign: 456 in Mexico, 100 in India, 82 in Bahrain, 69 in Morocco, 58 in Pakistan. India ranked second globally. The government of India has not confirmed whether it procured Pegasus, offered a substantive affidavit explaining what its national security required, or accounted for why the phones of a former election commissioner and journalists covering the prime minister appeared on an NSO client’s target list during a parliamentary election year.

The official position, maintained across four years, three chief justices, and a change of benches, is that nothing has been established. The documented record, accumulated in forensic reports, sealed court filings, and a public American trial, suggests otherwise.

The 2021 List: What Was On It

In July 2021, the Forbidden Stories consortium, working with Amnesty International’s Security Lab, published the findings of the Pegasus Project: a cross-border investigation into a leaked database of more than 50,000 phone numbers that NSO Group clients had selected for potential surveillance. The list was not a confirmed record of successful infections; it was a register of targeting decisions made by NSO’s government customers. Forensic analysis of specific devices, conducted by the Security Lab on phones made available for examination, confirmed actual Pegasus infections in a subset of cases.

From India, approximately 300 verified numbers appeared in the database. The names associated with those numbers constituted, in part, an inventory of India’s democratic opposition and its independent press. Rahul Gandhi, then the most prominent opposition figure in the country. Prashant Kishore, the election strategist who had worked with Gandhi’s Congress party and was regarded as one of the most analytically sophisticated political operatives in South Asia. Ashwini Vaishnaw, simultaneously serving as Modi’s Minister of Electronics and Information Technology, the cabinet post responsible for overseeing India’s digital and telecommunications policy. Former Election Commissioner Ashok Lavasa, who had dissented from the Election Commission’s majority decisions on model code violations during the 2019 general election and subsequently resigned from the post.

The presence of Vaishnaw on a targeting list associated with NSO’s clients was not addressed in the government’s affidavit, nor at any subsequent hearing. A sitting minister from the ruling party, nominally an ally of the government that held contracts with NSO’s client network, appeared as a surveillance target. Vaishnaw acknowledged the controversy publicly by saying the government was “concerned,” and moved on. The question of who authorized his targeting has never been placed before any official anywhere in a compellable forum.

The broader list included journalists covering the prime minister’s office, national security correspondents, and editors of publications that had published investigative work on the government’s conduct. The targeting decisions tracked the geography of accountability journalism in India at a moment when press freedom conditions were tightening across the country, and they did so with a precision that is difficult to attribute to coincidence.

The Raveendran Committee: An Inquiry Designed Around Its Own Limits

The Supreme Court appointed an inquiry committee on October 27, 2021. The supervisory body was headed by Justice R.V. Raveendran, a retired Supreme Court judge with a reputation for independence. Assisting him were Alok Joshi, a retired Indian Police Service officer from the 1976 batch with an intelligence background, and Dr. Sundeep Oberoi, chair of a subcommittee of the International Organization for Standardization. The technical panel comprised three specialists in cybersecurity, digital forensics, and network hardware: Naveen Kumar Chaudhary, Prabaharan P., and Ashwin Anil Gumaste.

The mandate was explicit: inquire, investigate, and determine whether Pegasus had been used on Indian citizens. The committee solicited voluntary device submissions for forensic examination. This was the structural constraint that shaped every finding that followed. A committee that could compel nothing, that depended on voluntary cooperation from individuals who had reason to believe the state was monitoring them, that had no legal authority to subpoena NSO Group’s client records from Israel, and that could not compel the government of India to confirm or deny procurement, was an inquiry designed to produce a report, not accountability.

The government understood this. It refused to file a substantive affidavit on the procurement question throughout the committee’s work. The central issue, whether India had purchased Pegasus and directed its use against the individuals on the 2021 list, remained formally unanswered. The committee received twenty-nine devices voluntarily. Absent procurement confirmation, any forensic finding it made about malware on those devices would land in a definitional gap: malware found, Pegasus unconfirmed, source unknown. The government had constructed exactly the evidentiary ambiguity it needed.

The court had rejected the government’s offer to constitute its own expert committee in favour of the independent Raveendran appointment. Having lost that contest, the government declined to cooperate with the independent inquiry on the one question that would have resolved the matter. The architecture of inconclusion was built from both ends.

The Sealed Report: What Little the Court Made Public

On August 25, 2022, the Supreme Court announced the committee’s summary findings. The technical panel had found malware in five of the twenty-nine examined devices. The court stated that the panel could not conclusively establish whether the malware was Pegasus specifically. The full report was placed in a sealed cover. The supervisory findings from Raveendran, the technical panel’s methodology, the identities of the five device owners whose phones were found to contain malware, the complete scope of what three cybersecurity experts concluded over months of analysis: all of it entered the sealed record and has remained there.

No document beyond the narrow public summary has been released. The petitioners’ lawyers, including Senior Advocate Shyam Diwan, have argued consistently that the report belongs in the public domain, that the individuals whose phones were found to contain malware are entitled to know what the committee concluded about their devices, and that a democracy cannot adjudicate a surveillance scandal through proceedings whose core findings are available only to the judges who commissioned them. The court has not agreed. The sealed cover has not been opened.

2023: Active Deployment While the Inquiry Sat Dormant

The Supreme Court heard the Pegasus petitions elaborately for the last time in August 2022. The case then went quiet. No hearing date was scheduled. The petitioners had no mechanism to accelerate the docket, and the government had every reason to let the matter sit. Fourteen months passed without a substantive hearing, and in that interval the surveillance operations continued.

In June 2023, Amnesty International’s Security Lab flagged renewed Pegasus targeting activity directed at individuals in India during routine technical monitoring. In October 2023, Apple sent threat notifications to iPhone users in more than 150 countries, warning them they may have been targeted by state-sponsored attackers. In India, more than twenty journalists and opposition politicians reported receiving these warnings. The Ministry of Electronics and Information Technology, led by Vaishnaw, said the government was “concerned” and would investigate.

Amnesty’s Security Lab undertook forensic analysis on devices belonging to individuals who had received Apple’s notifications. The findings appeared in December 2023, published jointly with The Washington Post. The Lab confirmed Pegasus activity on the devices of two individuals: Siddharth Varadarajan, founding editor of The Wire, and Anand Mangnale, South Asia editor of the Organized Crime and Corruption Reporting Project. On Mangnale’s device, the Security Lab recovered evidence of a zero-click exploit delivered over iMessage on August 23, 2023. The phone was running iOS 16.6, the most current version available at the time.

A zero-click exploit requires nothing from the target: no link clicked, no attachment opened, no interaction of any kind. The phone receives a transmission through a standard communication channel and the spyware installs. The specific exploit recovered from Mangnale’s device was consistent with NSO Group’s BLASTPASS technique, identified by Citizen Lab in September 2021 and patched by Apple in iOS 16.6.1, a patch that did not yet exist when the exploit reached Mangnale’s phone on August 23. The Lab identified an attacker-controlled email address used as part of the operation on his device. Whether the exploit succeeded in fully compromising the phone, the Lab noted, remained unclear from the forensic record available.

This was active deployment, confirmed forensically by Amnesty International, occurring in August 2023: two years after the government had described the entire controversy as conjecture, eleven months after the Supreme Court sealed its inquiry findings, and while the case lay on the docket without a scheduled hearing. Varadarajan’s Wire had published detailed investigative reporting on the government’s management of the 2002 Gujarat communal violence, on the Adani Group’s financial structure and its relationship to state procurement, and on Hindutva’s institutional reach into the civil services and judiciary. Mangnale’s work at OCCRP focused on organized crime and financial flows across South Asia, including reporting connected to figures within Modi’s political network. The selection of both journalists in 2023 was not incidental to their work.

The California Trial: What a Public Record Contains

The litigation Meta filed against NSO Group in 2019, alleging that NSO had exploited a WhatsApp vulnerability to install Pegasus on approximately 1,400 devices, moved slowly through the American court system. NSO contested jurisdiction, invoked sovereign immunity arguments on behalf of its government clients, and sought dismissal at multiple stages. A US appeals court rejected NSO’s immunity claims in 2020. In January 2025, Judge Phyllis Hamilton found that NSO had violated US federal hacking statutes and California law. The question of damages went to a jury.

The trial produced something the Raveendran committee could not: a formal evidentiary record, entered into a public proceeding and available for inspection, naming the countries whose citizens NSO’s infrastructure had been used against. The Victim Country Count, designated as such in the court filing, listed 1,223 individuals across 51 countries targeted during the 2019 WhatsApp campaign. India appeared at 100 victims, second only to Mexico’s 456. The named Indian targets confirmed across trial records and the Forbidden Stories investigation included Gandhi, Kishore, Vaishnaw, and Lavasa. In May 2025, the jury awarded $444,719 in compensatory damages and $167.3 million in punitive damages against NSO Group, one of the most significant legal defeats ever recorded against a commercial spyware vendor.

The geography of the victim list is worth examining as a whole. Mexico, India, Bahrain, Morocco, Pakistan, Indonesia: the Global South accounts for the overwhelming majority of the 51 countries represented. The United States contributed one victim; Canada two; the United Kingdom two; France seven. Spain, where Pegasus was eventually confirmed against the prime minister and defence minister, contributed twenty-two. The spyware sold to governments as a counterterrorism and serious crime instrument was deployed most heavily against countries whose institutions were least positioned to investigate its use or constrain its operators.

The Indian government’s response to the verdict and the country count document was silence: no affidavit filed, no minister addressing the finding. Congress party general secretary Randeep Surjewala asked whether the Supreme Court would now conduct further inquiry in light of the US ruling. The court scheduled a hearing for April 29, 2025.

April 29, 2025: The Court Speaks

The April 29 hearing produced the clearest statement of the court’s position in four years of proceedings. Justice Surya Kant asked, from the bench: “What is wrong if the country uses spyware? Let us be clear: there is no issue with having spyware. Let us not compromise the security of the nation. Using it against whom is the question.” The court confirmed that the technical panel’s report would not be made public. Any examination of whether specific individuals had been wrongly targeted would proceed, if at all, through further sealed examination by the judges. The next hearing was set for July 30, 2025.

The court’s formulation deserves to be read carefully, because it moved the entire proceeding onto new ground. The question before the court had been whether the government used Pegasus against journalists, politicians, and civil society figures without lawful authority, transparency, or any mechanism of judicial oversight. The bench’s April 29 statement reframed the question as one of misuse rather than use: not whether a democracy should operate covert spyware programmes against its own citizens without public legal accountability, but only whether any particular targeting decision was inappropriate. The distinction matters. It accepts the premise that such programmes are legitimate, requires the court to make targeting judgments in sealed chambers, and forecloses the structural question entirely: whether the Indian state has the legal architecture, oversight mechanisms, and transparency requirements that a programme of this scale demands.

In accepting that framing, the court converged with the position the government had announced in its August 2021 affidavit: that national security was the dispositive consideration and that disclosure was precluded. The path from that affidavit to the April 2025 bench statement is a straight line. The government declined to cooperate with the committee. The committee found malware but could not name it. The report was sealed. The surveillance continued. The trial in California produced a country count. The court said there was nothing wrong with the instrument and scheduled another hearing.

The Architecture of Impunity, Working as Designed

The structure of India’s response to the Pegasus revelations was not improvised. Each institutional decision reinforced the one before it. The refusal to file a substantive affidavit established the precedent that procurement information was not subject to judicial disclosure. The offer to constitute a government-controlled expert committee, rejected by the court, demonstrated the government’s preferred model of investigation: one it controlled. The non-cooperation with the independent Raveendran committee on the procurement question ensured that the committee’s findings would be definitionally incomplete. The sealing of those findings removed the ambiguity from public scrutiny. The fresh deployment of the spyware in 2023, while the case sat dormant on the docket, demonstrated that the legal proceedings had imposed no operational constraint on the programme they were nominally investigating.

The record from comparable cases elsewhere is instructive. In Mexico, a federal court ordered investigations into Pegasus use against journalists. In Spain, parliamentary proceedings produced testimony and a resignation from the intelligence chief. In Hungary, a European Parliament committee named NSO’s Hungarian deployments in its published report. In India, the Supreme Court’s own expert panel found malware on five phones from twenty-nine submitted devices, and the court sealed the findings, declined to identify what the malware was or who owned the five phones it was found on, and four years later announced from the bench that the only question worth asking was whom, not whether.

The individuals whose phones were examined but whose findings remain in a sealed cover do not know what the committee concluded about their devices. Varadarajan and Mangnale, whose 2023 infections were confirmed by Amnesty forensics conducted outside the court’s proceedings entirely, know what happened to their phones only because a civil society laboratory did the work the Indian state declined to commission. The opposition politicians and journalists on the 2021 list know their phones were targeted because a European media consortium published a leaked database. The court-appointed committee that spent months examining devices remains sealed in a cover that was never meant to be opened.

Accountability for commercial spyware deployment depends almost entirely on the willingness of domestic courts to compel government disclosure. In India, the Supreme Court conducted the inquiry, received the findings, sealed the findings, and then said the question was one of targeting decisions, not operational legitimacy. The government’s 2021 affidavit had called the petitions conjecture. The court’s 2025 bench statement called spyware tools of national security. The distance between those two positions, measured in what they require of the government, is negligible.

The Question the Court Will Not Ask

The July 30, 2025 hearing may address whether the sealed report should be released to the petitioners’ lawyers, and whether the five individuals whose phones were found to contain malware will be informed of what the committee concluded. The court may also consider the implications of the Meta trial’s country count, which entered the public record in May 2025 and placed India at 100 confirmed targets in the 2019 WhatsApp campaign.

What the July 30 hearing will not address, because no forum has yet placed it in compellable form, is whether the Indian government was an NSO customer, who authorized the targeting decisions documented across the 2021 list, under what legal authority those decisions were made, and what oversight mechanism, if any, governed a programme that extended to the phones of an opposition leader, a sitting cabinet minister, a former election commissioner, and at minimum two journalists whose forensic infections were confirmed by independent laboratories years after the formal inquiry concluded.

That question has not been asked in any proceeding anywhere in the world in a form that requires an answer from the Indian state. Whether the July 30 hearing changes that is the only thing left to determine.